400 - Oauth error invalid_request

Highlighted
New Member
2 0 0

Hello, I am having issues with getting an OAuth Token. The app installs, HMAC is verified the issue is when attempting to do a HTTP request for the access_token. I have verified that the API Key, Secret & Code are valid as these work no problem with Postman. I have quadruple checked that the body params are correct and being sent as per Guzzles documentation but keep getting a 400 Invalid Request. Here is the function below (Laravel).

/**
     * Get Access Token
     *
     * @return string
     */
		public function getAccessToken(Request $request) {
			$client     = new Client();
			$api_key    = env('SHOPIFY_KEY');
			$api_secret = env('SHOPIFY_SECRET');
			$api_code   = $request->code;
			$api_shop   = $request->shop;

			try {
		    $response = $client->request(
	        'POST', 
	        "https://{$api_shop}/admin/oauth/access_token",
	        [
	          'form_data' => [
	            'client_id'     => $api_key,
			        'client_secret' => $api_secret,
			        'code'          => $api_code,
	          ],
	          'debug' => true
	        ]
		    );

			} catch (RequestException $e) {
		    dd($e);
			} catch (\Exception $e) {
		    dd($e);
			}
		}

Here is the debug information from Guzzle:

 

* Trying 23.227.38.64:443... 
* TCP_NODELAY set 
* Connected to lb-laravel.myshopify.com (23.227.38.64) port 443 (#0) 
* ALPN, offering http/1.1 
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH 
* successfully set certificate verify locations: 
* CAfile: /usr/local/etc/openssl/cert.pem CApath: /usr/local/etc/openssl/certs 
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256 
* ALPN, server accepted to use http/1.1 
* Server certificate: 
* subject: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=*.myshopify.com 
* start date: May 2 00:00:00 2019 GMT 
* expire date: May 2 12:00:00 2020 GMT 
* subjectAltName: host "lb-laravel.myshopify.com" matched cert's "*.myshopify.com" 
* issuer: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=CloudFlare Inc ECC CA-2 
* SSL certificate verify ok. > POST /admin/oauth/access_token HTTP/1.1 Host: lb-laravel.myshopify.com Content-Length: 0 User-Agent: GuzzleHttp/6.4.1 curl/7.65.3 PHP/7.3.7 Accept: */* Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded 
* Mark bundle as not supporting multiuse < HTTP/1.1 400 Bad Request < Date: Tue, 05 Nov 2019 12:21:00 GMT < Content-Type: text/html; charset=utf-8 < Transfer-Encoding: chunked < Connection: keep-alive < Set-Cookie: __cfduid=dc15330176e031360cda70dd61a5fd29e1572956460; expires=Wed, 04-Nov-20 12:21:00 GMT; path=/; domain=.myshopify.com; HttpOnly < X-Sorting-Hat-PodId: 95 < X-Sorting-Hat-ShopId: 11324129376 < Referrer-Policy: origin-when-cross-origin < X-Frame-Options: DENY < X-ShopId: 11324129376 < X-ShardId: 95 < Cache-Control: no-cache, no-store < Vary: Accept < Strict-Transport-Security: max-age=7889238 < Set-Cookie: _master_udr=eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaEpJaWxoTWprMlkyTmxaaTB4TlRFM0xUUmlOelV0T0RjNU55MWtNRGszTkRsak16bGpZemNHT2daRlJnPT0iLCJleHAiOiIyMDIxLTExLTA1VDExOjIxOjAwLjE5OVoiLCJwdXIiOiJjb29raWUuX21hc3Rlcl91ZHIifX0%3D--561d86bc2d1838b5122508003aab6aa23cd7e12c; domain=.myshopify.com; path=/admin; expires=Fri, 05 Nov 2021 11:21:00 -0000; secure; HttpOnly < X-Shopify-Stage: production < Content-Security-Policy: default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://* shopify-pos://*; block-all-mixed-content; child-src 'self' https://* shopify-pos://*; connect-src 'self' wss://* https://*; frame-ancestors 'none'; img-src 'self' data: blob: https:; script-src https://cdn.shopify.com https://cdn.shopify.cn https://checkout.shopifycs.com https://js-agent.newrelic.com https://bam.nr-data.net https://api.stripe.com https://mpsnare.iesnare.com https://appcenter.intuit.com https://www.paypal.com https://js.braintreegateway.com https://c.paypal.com https://maps.googleapis.com https://www.google-analytics.com https://v.shopify.com https://widget.intercom.io https://js.intercomcdn.com 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=access_token&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Foauth&source%5Bsection%5D=admin&source%5Buuid%5D=4f4e4a47-f73d-4d6a-ba62-a8712971c7fa < X-Content-Type-Options: nosniff < X-Download-Options: noopen < X-Permitted-Cross-Domain-Policies: none < X-XSS-Protection: 1; mode=block; report=/xss-report?source%5Baction%5D=access_token&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Foauth&source%5Bsection%5D=admin&source%5Buuid%5D=4f4e4a47-f73d-4d6a-ba62-a8712971c7fa < X-Dc: gcp-us-east1,gcp-us-central1,gcp-us-central1 < X-Request-ID: 4f4e4a47-f73d-4d6a-ba62-a8712971c7fa < Set-Cookie: request_method=POST; path=/ < Set-Cookie: _secure_admin_session_id=8b3293daee436d3e8cbcdf72cbe1d43e; path=/admin; expires=Wed, 05 Feb 2020 12:21:00 -0000; secure; HttpOnly < CF-Cache-Status: DYNAMIC < Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" < Server: cloudflare < CF-RAY: 530ec8f3ccd5ebfc-BOS < 
* Connection #0 to host lb-laravel.myshopify.com left intact

Any input would be greatly appreciated.

0 Likes
New Member
2 0 0

Was able to get this working for anyone interest, switched from form-data to json in the request options for the client.

 

 

0 Likes